- Class-action lawsuits targeted cybersecurity, worker rights in 2021 - December 31, 2021
- Ponzi scheme class-action lawsuit an ‘inventive’ brand of litigation - December 20, 2021
- Failing to adequately safeguard data results in $3.44M settlement - November 30, 2021
By Tony Poland, LegalMatters Staff • A cybersecurity lawsuit currently before the courts could be the catalyst in defining and expanding the interpretation of the tort of intrusion upon seclusion, says Toronto class action lawyer Margaret Waddell.
At issue in Owsianik v. Equifax Canada Co. was “the question of whether a claim for intrusion upon seclusion can succeed against the collectors and custodians of private information,” according to court documents.
The class action lawsuit was filed in a computer hacking case and certified by a motion judge on a number of causes of action, including intrusion upon seclusion. However, last month an Ontario Divisional Court panel overturned the certification in a 2-1 decision. The plaintiff is now seeking leave at the Ontario Court of Appeal (ONCA).
“Hopefully leave will be granted and the Court of Appeal will take the opportunity to define the parameters of this tort,” says Waddell, a partner with Waddell Phillips Professional Corporation. “It is important to get the ONCA to determine just how broad the tort of intrusion upon seclusion is intended to be in the modern context. As technology changes, we must let the law evolve to accommodate those changes. The tort was first recognized more than a century ago, and the world was a very different place then.
“The application of intrusion upon seclusion to internet hacking is new and developing law. We should not throw out the claim on a pleadings motion when it really ought to be decided on a full merits-based argument,” she adds. “This is on the top of everybody’s radar in the privacy field. It’s an important issue, as it should be.”
‘On the top of everybody’s radar’
The class-action lawsuit involves a 2017 hack of Equifax’s computer network that the plaintiff claims exposed the personal and financial information of its customers in Canada and the United States.
The Superior Court was told that Equifax notified about 20,000 Canadians that their personal information had been accessed by hackers.
“During the time period when the breach occurred, 318,342 people in Canada had subscriptions with Equifax for credit monitoring and identity theft protection services,” the court heard. “In addition to the impacted Canadians, Equifax announced that the cybersecurity breach impacted 143 million U.S. consumers and involved the unauthorized access to such information as Social Security numbers, names, dates of birth, addresses, drivers’ license numbers, credit card numbers and other kinds of personal information.”
The plaintiff claims, “Equifax knew that their IT security was inadequate and vulnerable to hackers and made the choice not to take the necessary steps to guard against the hacking that led to the breach at issue,” the court was told.
The case asserts various causes of action, including the tort of intrusion upon seclusion, which was first recognized in Ontario in the 2012 ONCA decision of Jones v Tsige. However, Waddell tells LegalMattersCanada.ca that the limits of the tort still need to be tested.
“This law is definitely in a state of flux. This is certainly the kind of case that is really screaming out for some appellant direction on just what the scope of this tort is,” she says. “There is an opportunity to confirm the parameters of what this tort is meant to cover, particularly with hacker breaches where the person collecting the information has been reckless in the way that they’ve been storing it.”
Option to proceed as negligence case
In overturning certification in the Equifax claim on the ground of intrusion upon seclusion, the majority of the Divisional Court noted that the plaintiffs still have the option to proceed as a negligence case.
However, Waddell, who was not involved in the case but comments generally, explains that is not an effective alternative in a cybersecurity case such as this.
“The challenge with negligence is that one of the requisite elements to make out in the tort is proof of harm,” she says. “Often in these hacker cases, the plaintiff will not have direct proof of consequential harm by the time they get to certification because the perpetrators haven’t released the data in a way that can be traced to a particular hack.”
- Every privacy breach is serious in the eyes of the law
- Game on! in a potential legal battle in Canada over loot boxes
- Representative plaintiffs ought to be rewarded for their efforts
Waddell says to avoid detection from investigators, information collected by hackers may not be released for years. The information could also be sold off in bits and pieces.
Because the damage inflicted may take years to detect, a negligence claim could be challenging, she says, unless the courts accept that the privacy breach, and loss of control of one’s personal information is in and of itself an inherent harm, and that proof pecuniary loss is not necessary.
“If there isn’t some remedy when you aren’t able to prove a pecuniary loss, but you have suffered a loss of privacy, then there’s a real hole in the law,” Waddell notes. “For that reason, this case also illustrates why requiring proof of physical or monetary injury is harm is wrong – missing the point of the injury that the victim has suffered. There is a moral, or inherent wrong arising from the keeper of the private data storing it negligently, and letting someone peer into those records.
Presently, some of our courts have been dismissive of claims where all the plaintiff can prove is a risk of pecuniary loss of loss of identity, and these moral damages.
‘We should be expanding negligence’
“Perhaps we should be expanding negligence to include what can be considered a clear and present danger, a real risk that the negligence will lead to harm, and confirming that the inherent injury arising from the privacy breach is compensable.”
Waddell says she was encouraged by the remarks of the dissenting judge, Justice Harriet E. Sachs.
“The dissent really does open the door for leave to be granted by the Court of Appeal. She’s saying, ‘This is an expanding area of law. Technology is changing. The law needs to adapt to change with it, and we shouldn’t just be slamming the door shut based on the interpretation of a single word in the definition of the intrusion upon seclusion tort,’” she says.
Justice Sachs states “the rights at issue are fundamental rights that are facing unprecedented threats. The common law should be allowed to develop in an incremental way to see how far the tort should be extended to meet those threats.”
Waddell says at issue is basic consumer protection and accountability.
“If a company has been entrusted to keep your data safe and they fail to do that, it is like leaving the garage door open so your car can be stolen,” she says. “If there isn’t an intrusion upon seclusion tort or there is no other tort that applies, then it really does give the holders of private information a free pass when they are negligent. That shouldn’t happen.”
More from Waddell Phillips Professional Corporation:
SCC child support judgment is ‘a great decision for clarity’
Pingback: Order for parental visit at Turkish resort unusual and concerning ⋆ LegalMattersCanada